Contestants set up honeypots and spoof existing robocall-screening technologies.

On Thursday the Federal Trade Commission (FTC) announced the winners of a robocall-defeating contest that the commission held at DefCon in early August. Three groups of contestants each won $3,133.70, and two runners-up each won $1,337 (for being just that elite). The FTC says it receives 150,000 robocall complaints each month, down from 200,000 per month one year ago.

The contest was called “Zapping Rachel,” for the well-known scam in which a pre-recorded woman's voice tells an unsuspecting phone answerer, “Hi this is Rachel at cardholder services.” The FTC separated the contestants into Creator, Attacker, and Detective categories—Creator entrants were asked to build a honeypot to lure robocallers, Detective entrants were given the honeypot data and asked to analyze it, and Attacker entrants were tasked with finding honeypot vulnerabilities. Contestants were given between 24 and 48 hours to submit their entries, depending on the category they entered.

For the Creator category, Jon Olawski, who is a software engineering director for an Internet marketing company by day, won the prize. He built a honeypot that used “an audio captcha filter, call detail analysis, and recording and transcription analysis” to automatically rate whether an incoming call came from a robocaller. In an e-mail to Ars, Olawski described his idea as “a 10-point 'strike' system”: once a caller accumulates enough strikes, its number is treated as a robocaller and placed on a blacklist.

The Detective category winners included Yang Yang and Jens Fischer, who will share their $3,133.70 prize for honeypot data analysis. The algorithm they developed relied on “metrics such as the number of calls made, whether the number called was a toll-free number, and the time of the call to identify likely robocalls.”

The winning honeypot ideas are similar to two projects that won last year's $50,000 robocall contest from the FTC. In that contest, the two winners separately built systems to blacklist and whitelist incoming calls using a CAPTCHA-style test. One system created an option to disconnect phone calls that failed the test and were not coming from a white-listed number. One problem with these systems is that it's tough for an algorithm to tell legal robocalls from illegal robocalls. Robocalls are generally legal if they're from charities, political organizations, or pharmacies notifying customers that their prescriptions are ready.
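The paragraphs above describe the winning entries only in outline, so here is an added example, not code from any contest entry: a strike-based scorer in the spirit of Olawski's 10-point system, combining an audio CAPTCHA result, call-detail analysis and transcript analysis with the Detective winners' metrics (calls per number, toll-free destination, time of call), run over constructed honeypot call records. The weights, the five-strike threshold, the 8am-9pm calling window, the script phrases, the number formats and the sample records are all assumptions. It also shows the caveat just mentioned: a pharmacy's legal prescription reminder fails the CAPTCHA and reads a script exactly as an illegal robocall does, and only a whitelist keeps it off the blacklist.

```python
"""Strike-based honeypot call scorer (added example, not the contest entries).

Combines the three signals the article credits to the Creator winner
(audio CAPTCHA result, call-detail analysis, transcript analysis) with the
Detective winners' metrics (calls per number, toll-free destination, time
of day) into a strike count. Every weight, threshold, phrase and sample
record below is an assumption made for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

STRIKE_THRESHOLD = 5            # assumed: this many strikes => blacklist

# Assumed phrases from the "Rachel at cardholder services" pitch.
SCRIPT_PATTERNS = [
    re.compile(r"cardholder services", re.I),
    re.compile(r"lower your interest rate", re.I),
    re.compile(r"press\s+\d+\s+(?:now|to)", re.I),
]

TOLL_FREE_PREFIXES = {"800", "888", "877", "866", "855", "844"}


@dataclass
class CallRecord:
    caller: str                     # caller ID as presented (spoofable)
    callee: str                     # honeypot number that was dialed
    hour: int                       # local hour the call arrived, 0-23
    duration_s: int
    captcha_passed: Optional[bool]  # None when the caller hung up first
    transcript: str = ""


def is_toll_free(number: str) -> bool:
    return number[:3] in TOLL_FREE_PREFIXES


def score_call(rec, calls_from_caller, whitelist=frozenset()):
    """Return (strikes, reasons) for one call. Whitelisted callers score 0."""
    if rec.caller in whitelist:
        return 0, ["whitelisted"]
    strikes, reasons = 0, []
    # 1. Audio CAPTCHA: a recording cannot answer it, so failure weighs most.
    if rec.captcha_passed is False:
        strikes += 3
        reasons.append("failed audio captcha")
    elif rec.captcha_passed is None:
        strikes += 1
        reasons.append("hung up before captcha")
    # 2. Call-detail analysis: volume, toll-free target, time of day, length.
    if calls_from_caller >= 5:
        strikes += 2
        reasons.append(f"{calls_from_caller} calls into the honeypot")
    if is_toll_free(rec.callee):
        strikes += 1
        reasons.append("dialed a toll-free honeypot line")
    if rec.hour < 8 or rec.hour >= 21:          # assumed 8am-9pm window
        strikes += 1
        reasons.append("outside the 8am-9pm calling window")
    if 0 < rec.duration_s < 10:
        strikes += 1
        reasons.append("very short call, typical of a dialer probing numbers")
    # 3. Transcript analysis against known script phrases.
    hits = [p.pattern for p in SCRIPT_PATTERNS if p.search(rec.transcript)]
    if hits:
        strikes += 2
        reasons.append("known script phrases: " + "; ".join(hits))
    return strikes, reasons


def classify(records, whitelist=frozenset(), threshold=STRIKE_THRESHOLD):
    """Score all records; return (worst strikes per caller, blacklist set)."""
    volume = Counter(r.caller for r in records)
    worst = {}
    for r in records:
        strikes, _ = score_call(r, volume[r.caller], whitelist)
        worst[r.caller] = max(strikes, worst.get(r.caller, 0))
    return worst, {c for c, s in worst.items() if s >= threshold}


# Constructed sample honeypot records, not real contest data.
SAMPLE_CALLS = [
    CallRecord("2025550123", "8005550100", 22, 8, False,
               "Hi this is Rachel at cardholder services, press 1 now"),
] + [
    CallRecord("2025550123", f"800555010{i}", 22, 6, None) for i in range(1, 5)
] + [
    # A real person who passed the CAPTCHA.
    CallRecord("3125550199", "2125550177", 14, 240, True, "hey it's me, call back"),
    # A legal pharmacy robocall: it fails the CAPTCHA and reads a script too.
    CallRecord("7035550150", "2125550177", 10, 25, False,
               "Your prescription is ready for pickup. Press 1 to hear store hours."),
]

if __name__ == "__main__":
    worst, blacklist = classify(SAMPLE_CALLS)
    for caller, strikes in sorted(worst.items()):
        flag = " -> BLACKLIST" if caller in blacklist else ""
        print(f"{caller}: {strikes} strikes{flag}")
    # Whitelisting the pharmacy is the only thing that keeps it off the list.
    print(classify(SAMPLE_CALLS, whitelist=frozenset({"7035550150"}))[1])
```

Run as-is the scammer's number collects ten strikes, the human caller none, and the pharmacy exactly the five that cross the threshold; the second `classify` call shows the whitelist doing the work an algorithm cannot.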

More work to do

Jan Volzke, founder of a company called Numbercop, which tracks and blocks voice and text spam messages, won in the Attacker category. By acting as an illegal telemarketer for a day or two, Volzke hoped to point out the weaknesses in the FTC's winning honeypots. His system for circumventing a honeypot relied on “a four-step targeting process that screens out phone numbers potentially connected to a honeypot,” an FTC press release says.


Volzke, who works on this problem professionally, told Ars in a phone conversation that at DefCon, the FTC's focus was a bit too narrow.

“The FTC was very focused on robocalls, while what we are seeing in the threat landscape is that those guys have long connected text messages and callback numbers, and voice mechanism detection will only catch a very small percentage of the market because these attacks are connecting to mobile phones directly," he said.

If malicious callers avoid landline numbers, Volzke said they “reduce the number of numbers that [they] dial, but [their] response rate goes up.”

“There's one particular area that's really interesting,” he continued. “[Malicious telemarketers] send a text and include a callback number that leads to an automated recording.” Through that channel, the robocallers have more success getting personal information like credit card numbers and so forth. Volzke's company has recently collected a number of calls in which the scammer sends both a voice message and a text at the same time, which could lend the message (false) legitimacy for some.

Although the FTC is still focused on diminishing robocalling in general, Volzke says that it has to take a few proactive steps to truly reduce the plague of illegal telemarketing, starting by “applying honeypot analysis on live cellphone networks—these must be cellphones and not landlines.” Volzke told Ars that to catch robocallers, it's necessary to “spread out your honeypot across multiple networks; they can be computers with SIM cards—it doesn't need to be a physical device.” In addition, “on those cellphones you also need to check for text messages.”

Finally, the FTC needs to gather information from people being scammed worldwide. “These guys are acting internationally ... we actually believe that this is not a large amount of people that are doing this, it's a handful of guys,” Volzke said, adding that it's also time for network carriers to chip in to diminish robocalls. “Law enforcement can only do so much."

"There are historic reasons” why carriers don't do much to stop robocallers, Volzke said. “For a long time carriers had a mandate to connect a call,” but with the changing mobile landscape, new agreements must be considered.

51 Reader Comments

I still don't understand how hard it'd be for the FTC to set up a network of honeypot numbers staffed by the same people who happily work as JetBlue reservation agents or in the many other ad-hoc “call centers.” You might call it the Uber-ization of honeypot work: get a bunch of operators with basic skills to work the phones.

This works because EVERY call touting a service to a Do Not Call number is illegal and you don't have to log too many calls from mortgage brokers, PC service firms, etc., before they cannot continue their scammy techniques. So what if you have to pay the operators $10 per hour? Your biggest cost would be from the paralegals who'll track down the owner of the 800-callback number and serve them with a summons.

I'm a big fan of computers taking over mundane jobs, even ones like driving that are pretty challenging. But why not enforce existing, useful laws with a cadre of the at-home who'd benefit from a little income, more than paying for themselves via the fines and benefit to the rest of us who will be spared the illegal and probably fraudulent “marketing.”

I confess I might not be understanding the problem but ... I have a box on my home phone line that intercepts incoming calls and plays a recording that asks telemarketers and canvassers to press 1 and personal callers to press 2. Telemarketers receive a pleasant message informing them that their call is not welcome. Only people who press 2 cause the house phone to ring. This cost $10 about 20 years ago. In that time only one telemarketer went the wrong way. As for cell, I don't answer unless the number is in my contact list. Am I an outlier?

This works because EVERY call touting a service to a Do Not Call number is illegal and you don't have to log too many calls from mortgage brokers, PC service firms, etc., before they cannot continue their scammy techniques. So what if you have to pay the operators $10 per hour? Your biggest cost would be from the paralegals who'll track down the owner of the 800-callback number and serve them with a summons.

Good luck with trying to get the scammers to actually identify themselves. "What company are you calling from?" usually gets a generic answer, such as "The security company". When you press them, they know you aren't buying and just hang up.

One problem with these systems is that it's tough for an algorithm to tell legal robocalls from illegal robocalls. Robocalls are generally legal if they're from charities, political organizations, or pharmacies notifying customers that their prescriptions are ready.

That's not a problem. There is no function served by useful robocalls that cannot be better served by some other means of delivering information, such as text message, email, etc. And as for charities and political organizations, I don't care, get off my phone line if you can't be bothered to have a human call me.

One problem with these systems is that it's tough for an algorithm to tell legal robocalls from illegal robocalls. Robocalls are generally legal if they're from charities, political organizations, or pharmacies notifying customers that their prescriptions are ready.

That's not a problem. There is no function served by useful robocalls that cannot be better served by some other means of delivering information, such as text message, email, etc. And as for charities and political organizations, I don't care, get off my phone line if you can't be bothered to have a human call me.

Not quite. Robocalls are also used for emergency warnings, power outages, gas leaks, etc. Many people don't take texts, and many municipalities/ government offices/ power companies don't have email addresses. Thankfully.

What I don't get is why it's so hard to back-track calls. Telephony is a digitally-switched network, so packets have to be routed through them, and so it should be fairly simple to tell where a call is connecting in from.

The problem with white/blacklists is that it's trivially easy for the scammers to spoof numbers. I have a long list of blocked numbers on my phone. Works for a month, and then the numbers change. Lately they've even been sophisticated enough that the numbers appear local, just a few numbers off from my number.

I was thrilled to hear that iOS would finally allow number blocking. Problem is, it just shunts the call to VM, which leaves an 18-second snip of the recording. My new blocking method is going to be an air horn. Press 1 to get a live operator, wait to hear the person, let the horn go. See how long it takes for my number to go on their own blacklist.

The problem with white/blacklists is that it's trivially easy for the scammers to spoof numbers.

And this is why the FTC and FCC need to team up and devise a regulation that requires the major phone companies to enforce the caller-ID reporting of actual physical callable numbers associated with the account in question. In other words, if you spoof, you can't place a call.

I confess I might not be understanding the problem but ... I have a box on my home phone line that intercepts incoming calls and plays a recording [snip]. As for cell, I don't answer unless the number is in my contact list. Am I an outlier?

I don't have a home phone, I only have a cell phone.

I also don't answer any call unless I know who they are, but around half of my legitimate calls are from someone who has caller ID disabled. Including my dad and also pretty much every company who ever needs to contact me for some reason.

I basically end up using voicemail a lot, which stinks. Also it doesn't work if the person on the other end had the same practice as me. I'd call them back, and they wouldn't answer. I leave a message, they call me back, I don't answer... yeah.

The problem with white/blacklists is that it's trivially easy for the scammers to spoof numbers.

And this is why the FTC and FCC need to team up and devise a regulation that requires the major phone companies to enforce the caller-ID reporting of actual physical callable numbers associated with the account in question. In other words, if you spoof, you can't place a call.

And how are FTC and FCC regulations going to fix the issue for callers originating in a different country?

I have GIVEN UP on filing DNC list violation complaints, as they haven't done a damned bit of good. I get calls from the SAME number daily, sometimes several times a day, EVEN though I never answer a call from a number I don't recognize, and say so in my announcement.

I have GIVEN UP on filing DNC list violation complaints, as they haven't done a damned bit of good. I get calls from the SAME number daily, sometimes several times a day, EVEN though I never answer a call from a number I don't recognize, and say so in my announcement.

If it's the same number, maybe it's legit? Pick up the phone and find out. If it isn't, just block calls from that number. It's only difficult when the numbers are always changing.

This works because EVERY call touting a service to a Do Not Call number is illegal and you don't have to log too many calls from mortgage brokers, PC service firms, etc., before they cannot continue their scammy techniques. So what if you have to pay the operators $10 per hour? Your biggest cost would be from the paralegals who'll track down the owner of the 800-callback number and serve them with a summons.

Good luck with trying to get the scammers to actually identify themselves. "What company are you calling from?" usually gets a generic answer, such as "The security company". When you press them, they know you aren't buying and just hang up.

Even better luck getting a robocaller to identify himself. I scream at them till I'm blue in the face and they still continue to mindlessly stick to the script. I'm guessing one of the three laws prohibits them from responding or something.

Sometimes I really don't get these issues where technical solutions are used to try and solve a non-technical problem.

Robo-calling is not a technical problem; it's a legislative problem.

Just ban unsolicited robo-calling. Politics and charity don't need unsolicited contact with people over the phone. People that want information can find information. It's not that hard. Also there are plenty of other ways people can be contacted to 'reach' them; i.e. robo-calling isn't necessary.

So just ban unsolicited robo-calling, with the single exception being in case of emergency by a government agency.

Heck, it should go even further. Just ban any unsolicited calls, robot or machine, unless there's an existing (business) relation. In the Netherlands we 'almost' have this. The only difference is that ours is opt-out instead of opt-in and has a required renewal every three years.

I have GIVEN UP on filing DNC list violation complaints, as they haven't done a damned bit of good. I get calls from the SAME number daily, sometimes several times a day, EVEN though I never answer a call from a number I don't recognize, and say so in my announcement.

My iPhone 4 has a "block caller" option. I realize these guys use a new number *almost* every time, but I used to get repeat calls from the same number and those aren't happening any more.

The robocalls seem to come in waves. I'll get several and then none for a month or two, then they'll start again. Weird. And I get 'em on my cell phone as well as my land line.

SMS spam has gone away...AT&T has a spam SMS forwarding number (7726) that seems to be working. Haven't seen an SMS spam for at least a year. But those come in waves, too.

I like the new robocall that spoofs the CallerID as my actual name and home phone number. Makes me question if I'm living in some Inception-esque Doctor Who episode. I don't know who you are, shady telemarketer, but kudos; I'm now questioning reality and my own sanity.

All these folks that won't answer the phone unless the caller is on your contact list - what? What phone number do you put on your resume? What number do you give out in a club? What if your friends move and get a new number?

Seems like some insane technical solutions at the consumer level, when technical solutions exist at the service provider level, they just aren't enforced/mandated/in use/required.

I nearly never get phone calls now. The few I get are companies I have business with, or occasional robo-caller. Friends and family text me.

I don't answer calls from unknown numbers - they go to voicemail. My voicemail message does not mention my name.

I have only a cell phone. It is silenced at night or when I don't want to be disturbed. My phone is for *my* convenience. It took years for my mindset about phones to change. I used to run for the phone (landline) when it rang. We have so many other ways to communicate now, why should I care much about phone calls.

Full disclosure: I entered the original contest and was not selected. My approach was called "Murphy" after RoboCop.

A variety of my competition had ineffective techniques. Some based it all on caller ID, which can be spoofed.

The only really workable solution is to (as I submitted) sample the audio of the call, fingerprint it (a la SoundHound, Shazam, et al.) and compare it to known spam calls. Then, because everyone's phone does this, we would have a live spam database that can respond to the spam after a threshold is crossed. When the spam call is identified it simply hangs up.

This would end robocalls forever. If they cannot get their message out before disconnect, they cannot make a sale, and the financial motivation for the robocall is removed.
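The fingerprint-compare-hang-up scheme this commenter proposes, as an added example that is neither the commenter's entry nor any contest code. It uses a deliberately coarse fingerprint (per 20 ms frame: is the frame loud, and which zero-crossing-rate bucket it falls in) rather than the spectral-peak landmarks Shazam-style systems use, and a sliding-offset match so a call picked up mid-recording still matches. The sample rate, frame size, bucket width, thresholds, and the synthetic tone "recordings" standing in for a real spam pitch are all constructed for illustration.

```python
"""Toy audio fingerprint for matching live call audio against known robocall
recordings (added example, not the commenter's or the contest's code).

Fingerprint symbol per 20 ms frame: 0 if quiet, else 1 + a zero-crossing
rate bucket (a cheap stand-in for dominant pitch). Real systems fingerprint
spectral peaks; the frame size, thresholds and test signals here are all
assumptions made for illustration.
"""
import math
import random

SAMPLE_RATE = 8000          # assumed: narrowband telephone audio
FRAME = 160                 # 20 ms frames at 8 kHz
LOUD_THRESHOLD = 0.01       # assumed mean-square energy for "audio present"
MATCH_THRESHOLD = 0.75      # assumed: fraction of frames that must agree


def fingerprint(samples):
    """One small int per frame: 0 for quiet frames, else 1 + ZCR bucket."""
    symbols = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        energy = sum(x * x for x in frame) / FRAME
        if energy < LOUD_THRESHOLD:
            symbols.append(0)
            continue
        crossings = sum(1 for a, b in zip(frame, frame[1:])
                        if (a >= 0) != (b >= 0))
        symbols.append(1 + min(crossings // 8, 7))   # 8 crossings per bucket
    return symbols


def similarity(reference, probe):
    """Best fraction of reference frames matched by probe at any offset.
    Sliding the offset tolerates the probe starting mid-recording."""
    if not reference:
        return 0.0
    best = 0.0
    for offset in range(-len(reference) + 1, len(probe)):
        matches = sum(1 for i, sym in enumerate(reference)
                      if 0 <= i + offset < len(probe) and probe[i + offset] == sym)
        best = max(best, matches / len(reference))
    return best


def should_hang_up(live_audio, known_spam):
    """True if the live audio matches any fingerprint in the spam database."""
    live = fingerprint(live_audio)
    return any(similarity(ref, live) >= MATCH_THRESHOLD for ref in known_spam)


# --- constructed test signals (no real call audio) -----------------------
def tone_sequence(freqs, seconds_each=0.2):
    """Concatenated pure tones: a crude stand-in for a recorded pitch."""
    n = int(SAMPLE_RATE * seconds_each)
    return [math.sin(2 * math.pi * f * i / SAMPLE_RATE)
            for f in freqs for i in range(n)]


def noisy_replay(samples, lead_in=530, tail=300, seed=1):
    """The same recording heard later in a call, over a noisy line."""
    rng = random.Random(seed)
    padded = [0.0] * lead_in + samples + [0.0] * tail
    return [x + rng.uniform(-0.05, 0.05) for x in padded]


RACHEL_PITCH = tone_sequence([300, 700, 1100, 500])   # the "known spam" call
SPAM_DB = [fingerprint(RACHEL_PITCH)]

if __name__ == "__main__":
    replay = noisy_replay(RACHEL_PITCH)
    other = noisy_replay(tone_sequence([900, 1300, 900, 1300]))
    print("replay similarity:", round(similarity(SPAM_DB[0], fingerprint(replay)), 2))
    print("hang up on replay:", should_hang_up(replay, SPAM_DB))
    print("hang up on other: ", should_hang_up(other, SPAM_DB))
```

The frequencies are chosen so each tone's crossing count sits in the middle of a bucket, which is why a noisy, time-shifted replay still agrees on every frame except the ones that straddle a tone boundary. That fragility is also the point the next reply makes: anything that moves the dominant pitch around (music, multiple voices, re-ordered segments) pushes frames into other buckets and the match drops.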


The problem with white/blacklists is that it's trivially easy for the scammers to spoof numbers.

And this is why the FTC and FCC need to team up and devise a regulation that requires the major phone companies to enforce the caller-ID reporting of actual physical callable numbers associated with the account in question. In other words, if you spoof, you can't place a call.

I agree fix the call spoofing and you fix the problem. The reason the “Do Not Call List” doesn’t work is with call spoofing there is no accountability if you violate it. I would suspect that no legitimate charity, political campaign or business would spoof a number for caller ID, meaning pretty much all marketing calls with spoofed numbers are out to get your SSN for identity theft.

I have even seen anecdotal accounts that shady telemarketers actually use the “Do Not Call List” as a database of known working numbers, again because there is no accountability when spoofing the caller ID. In reality they wouldn’t even have to do that. In our 10-digit phone numbers, 3 are known Area Codes and 3 more are known prefixes in those Area Codes. A number generator and an automated dialer can spin through the 10,000 possible variants in a few hours. This is why some calls hang up immediately. They are building a database of good numbers.

This works because EVERY call touting a service to a Do Not Call number is illegal and you don't have to log too many calls from mortgage brokers, PC service firms, etc., before they cannot continue their scammy techniques. So what if you have to pay the operators $10 per hour? Your biggest cost would be from the paralegals who'll track down the owner of the 800-callback number and serve them with a summons.

Good luck with trying to get the scammers to actually identify themselves. "What company are you calling from?" usually gets a generic answer, such as "The security company". When you press them, they know you aren't buying and just hang up.

Even better luck getting a robocaller to identify himself. I scream at them till I'm blue in the face and they still continue to mindlessly stick to the script. I'm guessing one of the three laws prohibits them from responding or something.

The last time I answered a robocaller (like the "Windows technical support" written about in Ars previously but now claiming a new company name) I asked the caller how he felt about being a crook. He was really offended and started out by claiming he wasn't a crook, but didn't really have an answer when I explained to him that since the company he worked for was misrepresenting itself and what it was doing, which was illegal, he was a member of a criminal organization and therefore a crook. At one point, when I said something about his company scamming people, he said he "scammed hundreds of people and what was I going to do about it?" I haven't gotten a call back from them, though.

Full disclosure: I entered the original contest and was not selected. My approach was called "Murphy" after RoboCop.

A variety of my competition had ineffective techniques. Some based it all on caller ID, which can be spoofed.

The only really workable solution is to (as I submitted) sample the audio of the call, fingerprint it (a la SoundHound, Shazam, et al.) and compare it to known spam calls. Then, because everyone's phone does this, we would have a live spam database that can respond to the spam after a threshold is crossed. When the spam call is identified it simply hangs up.

This would end robocalls forever. If they cannot get their message out before disconnect, they cannot make a sale, and the financial motivation for the robocall is removed.

Again, this is the only real solution, but was not selected.

I don't think it's the only solution. It's not a bad solution, but if it was widespread I would expect robocalls to start using variable background music, multiple voices, randomized sequencing, etc.

“There's one particular area that's really interesting,” he continued. “[Malicious telemarketers] send a text and include a callback number that leads to an automated recording.” Through that channel, the robocallers have more success getting personal information like credit card numbers and so forth. Volzke's company has recently collected a number of calls in which the scammer sends both a voice message and a text at the same time, which could lend the message (false) legitimacy for some.

The hell?

"Oh, it's a spam telemarketer, I'm going to hang up on them."

"Oh, it's a spam telemarketer who also sent me a text, it must be legit so I will certainly give them all of my credit card information."

What I don't get is why it's so hard to back-track calls. Telephony is a digitally-switched network, so packets have to be routed through them, and so it should be fairly simple to tell where a call is connecting in from.

I can assure you it is not that easy. I invite you to google "rural call completion". It is almost impossible for the terminating telephone company to back track to the originating telephone company, given the myriad of intermediaries.